[Firehol-support] Stateless rules

Tsaousis, Costa costa at tsaousis.gr
Wed Nov 26 22:35:15 GMT 2014


Guillaume,

It is not possible to allow anything from the DMZ to the internet and
not the other way around in a stateless manner.
This can only be done statefully. It is a feature of the netfilter
connection tracker, which is not utilized if you use stateless rules.

So, if you need this feature, you will have to sync connection
tracking between your 2 router boxes and go back to stateful rules.

Costa


On Wed, Nov 26, 2014 at 5:40 PM, Guillaume Lacroix <gl at worldline.fr> wrote:
> Hi Costa,
>
> Thanks a lot, I could make it work as expected. One last thing though, is there
> a possibility to open all the routes from the DMZ to the internet and not
> the other way round ?
>
> More specifically, I have opened some routes from the internet to my web server
> (IP 123.123.123.123) :
>
> router internet_to_web inface any outface any dst 123.123.123.123
> route anystateless myhttp accept dport 80 proto tcp
> route anystateless myhttps accept dport 443 proto tcp
> route all deny
>
> With that, only http and https traffic is allowed to hit the web server.
> Now, I would like to allow the web server to connect to the internet with no
> restrictions (DNS, mail, NTP, whatever…). So, before the previous command, I
> have added :
>
> router web_to_internet inface any outface any src 123.123.123.123
>         route anystateless myext accept
>
> router internet_to_web…. (same as before)
>
> In a stateful mode, this works as expected, but in a stateless mode, this
> opens symmetrically all the routes in and out, so the restriction on
> http/https is no longer applied.
>
> Is there any workaround, or is the only choice to set the web_to_internet in
> a stateful mode (and use the conntrack sync mechanism) ?
>
> Thx and regards,
> Guillaume
>
> On Wednesday 19 November 2014 at 19:17, Tsaousis, Costa wrote:
>
> Yes, it works for both interfaces and routers.
>
> Costa
>
> On Wed, Nov 19, 2014 at 7:12 PM, Guillaume Lacroix <gl at worldline.fr> wrote:
>
> Hi Costa,
>
> Thanks a lot for the tip. Does it work as well with route ? Something like :
>
> router in_to_web inface myin outface myout dst 123.123.123.123
> route anystateless myhttp accept dport 80 proto tcp
> route anystateless myhttps accept dport 443 proto tcp
>
> The reason is that I use different FWs on different routers for redundancy.
> Each router is connected to a different ISP within the same BGP session, so a
> request may arrive at any of the FWs, and so the router should not keep
> track of the session (the other solution would have been to update the
> conntrack on the different FWs, but I don’t want to do that).
>
> Thanks,
> Guillaume
>
> On Wednesday 19 November 2014 at 18:01, Tsaousis, Costa wrote:
>
> Hi Guillaume,
>
> Why do you want to do this? Are you facing any issues with the
> netfilter state machine?
>
> Anyway, if you really want to do it, use this:
>
> server anystateless myhttp accept dport 80
> server anystateless myhttps accept dport 443
>
> Costa
>
>
>
> On Wed, Nov 19, 2014 at 3:56 PM, Guillaume Lacroix <gl at worldline.fr> wrote:
>
> Hello,
>
> I have gone through the FH configuration, but I couldn’t find a way to
> specify some rules statelessly (I can only set a destination stateless using
> the « anystateless » command).
>
> Is there a way, for example, to set a route stateless for HTTP/HTTPS
> only ?
>
> Thanks and regards,
> Guillaume
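Costa's point about why the stateless variant of Guillaume's two routers cannot be made one-directional, as an added toy model that is not code from the thread or from FireHOL itself: it assumes (as the thread describes) that a stateless `route` rule is emitted for both directions, while the stateful variant relies on a conntrack table that only admits replies to flows it has already accepted. Addresses other than 123.123.123.123 and all packets are constructed.

```python
from collections import namedtuple

# Constructed packets: src, source port, dst, destination port.
Pkt = namedtuple("Pkt", "src sport dst dport")
WEB = "123.123.123.123"          # the web server address from the thread
ALLOWED_TO_WEB = {80, 443}       # internet_to_web only permits these ports

def stateless_decision(p):
    """Model of both routers with 'route anystateless' rules.
    Assumption (per the thread): a stateless route rule is emitted for both
    directions, so 'src WEB accept' also matches any packet with dst WEB."""
    if p.src == WEB or p.dst == WEB:        # web_to_internet, both directions
        return "accept"
    if p.dst == WEB and p.dport in ALLOWED_TO_WEB:   # shadowed by the rule above
        return "accept"
    return "deny"

class StatefulFilter:
    """Same routers without 'anystateless': a conntrack table decides replies."""
    def __init__(self):
        self.flows = set()      # (src, sport, dst, dport) of each accepted NEW flow

    def decision(self, p):
        # ESTABLISHED: the reverse direction of a tracked flow is accepted
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"
        # NEW: consult the routers in order; only accepted flows get tracked
        if p.src == WEB:                                 # web_to_internet
            self.flows.add(p)
            return "accept"
        if p.dst == WEB and p.dport in ALLOWED_TO_WEB:   # internet_to_web
            self.flows.add(p)
            return "accept"
        return "deny"

def run_scenarios():
    """Return {name: (stateless, stateful)} for four constructed packets."""
    sf = StatefulFilter()
    pkts = [
        ("web_dns_query", Pkt(WEB, 40000, "198.51.100.53", 53)),
        ("dns_reply",     Pkt("198.51.100.53", 53, WEB, 40000)),
        ("client_http",   Pkt("203.0.113.7", 50000, WEB, 80)),
        ("client_ssh",    Pkt("203.0.113.7", 50001, WEB, 22)),
    ]
    return {n: (stateless_decision(p), sf.decision(p)) for n, p in pkts}

if __name__ == "__main__":
    for name, (sl, st) in run_scenarios().items():
        print(f"{name:14} stateless={sl:7} stateful={st}")
```

The last scenario is the one Guillaume observed: the stateless rule set accepts an unsolicited inbound packet to port 22 because the reverse of "src 123.123.123.123 accept" matches it, whereas the stateful filter denies it since no tracked flow exists.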
